Your browser is a tcp/ip relay

I’ve been a longtime fan of fellow hacker Dan Kaminsky, best known for his work in tracking down the spread of the sony rootkit. Recently I spoke with him about his current work, and he summed it up by saying, “I can turn your web browser into an VPN concentrator.” When I stared at him in disbelief he explained that using DNS rebinding he can get the browser to connect to any IP he chooses.

The technique originates in the browser security model, based on same-origin policy. This allows a web browser, either using JavaScript or Flash, to connect back to the same host that the content came from. If the attacker changes where the hostname is pointing to, the browser can connect there. For example, the next time you connect to attacker.com, the DNS server actually serves you a 192.168.1.1 address, allowing the webapp to connect to your internal IP.

I will demonstrate an extension of RSnake and Boneh’s work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page.

I have had for a while a lurking feeling that the Web 2.0 world is full of surprising attack vectors that no one has come around to exploiting. Work like this doesn’t exactly fill me with confidence that the environment is secure.

If you have ever wondered what framework a certain site uses, Dan also gives us p0wf.

But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites.